On 05/01/2014 09:00, Kaspar Brand wrote:
> On 03.01.2014 23:51, Dr Stephen Henson wrote:
>> On 28/12/2013 13:34, Kaspar Brand wrote:
>>> FYI: in r1553824 (which I just committed to trunk), I'm now manually
>>> shuffling things around to support per-cert chains - but would happily
>>> drop the "#if defined(SSL_CTX_set1_chain)"-enclosed code if you decide
>>> to adapt SSL_CTX_use_certificate_chain_file in 1.0.2.
>>>
>>
>> Now done for OpenSSL master and 1.0.2 branches.
>
> Thanks, I have removed the code in r1555463 therefore. Assuming that the
> release of 1.0.2 isn't too far away by now, I have added a backport
> proposal for 2.4.x. Votes/reviews welcome. (And while I have your
> attention: could you perhaps have a look at OpenSSL's PRs #3178 and
> #3183? Both would help in improving SNI-based configurations.)
>

OK I'll have a look at those.

On the subject of 1.0.2 would it be appropriate to set auto ecdh parameter
selection as the default in mod_ssl where supported? As things stand one
single curve can be set (with default P-256) and it's an all or nothing
choice; with auto parameter selection the highest priority curve supported
by both sides is used.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
[email protected]
